Wednesday, 25 January 2012

Banks Unite to Battle Online Theft

This month, security officials from Wall Street financial firms,
including Morgan Stanley and Goldman Sachs Group Inc., are expected to
meet with researchers from the Polytechnic Institute of New York
University to discuss the creation of a new type of center that would
sift through mountains of bank data to detect potential attacks, people
familiar with the situation said.
At the same time, Bank of America Corp. has begun hosting experts
from other major banks at quarterly informal roundtables, in which the
rivals try to devise solutions to cybersecurity threats, according to
other people.
Both initiatives are designed to encourage banks to work together to
better protect against hackers, whose efforts to shut down electronic
operations and steal money or customer data pose a growing concern for
the industry. Sony Corp., the Central Intelligence Agency and Citigroup
Inc. are just a few of the firms that cyber-rogues have targeted over
the past year.
Online attacks have increased sharply over the past two years and
financial institutions are among the most likely targets, according to
a new survey by PricewaterhouseCoopers LLP, the consulting firm. Avivah
Litan, an analyst with Gartner Research, expects financial companies to
increase spending on fraud detection and customer authentication
systems by as much as 12%, to $1 billion, over the next two years — a
record.
While many bank officials agree with the information-sharing in
principle, some are concerned that doing so could provide rivals with
too much insight into their operations.
At the NYU-Poly meeting, for instance, some bank officials are
expected to make the case that banks should scour their own data
internally, rather than provide information to outside researchers,
people familiar with the matter said.
Representatives for Morgan Stanley and Goldman Sachs declined to comment.
"The mentality of the banks has been, 'Let's do everything
internally because we don't want to give anything away,' " said Peyman
Mestchian, a managing partner with Chartis Research in London.
But hackers are forcing banks to abandon that old go-it-alone mindset in favor of a more-inclusive approach, executives said.
"We realized that just as the fraudsters collaborate with each
other, we as an industry must collaborate," said Keith Gordon, a Bank
of America senior vice president of security.
A graphic example of just how vulnerable banks are to hackers
occurred in 2010, when security experts from major financial firms
gathered in San Francisco for a conference.
As panel after panel discussed cyber threats and how to guard
against them, hackers carried out a real-life attack. Using what has
come to be known as the Zeus Trojan — a type of software that infects
computers and covertly tracks keystrokes to steal personal data —
thieves penetrated bank computer firewalls and stole millions of
dollars from their customers.
The security experts attending the conference emailed each other
furiously on their BlackBerrys and agreed to meet in person to discuss
the threat, according to a person who was there.
"That was the first time I remember people feeling open to talking about these threats," this person said.
At the most-recent meeting hosted by Bank of America in late summer
at its New York offices, executives discussed a type of online
espionage that involves a long-term pattern of persistent hacking
attempts known as "advanced persistent threats."
That approach figured in recent hacks against RSA, a unit of EMC
Corp., and Sony, and is considered by most professionals to be the
leading cybersecurity threat of the day. Bank of America declined to
comment.
Banks also are working with Internet service providers in new ways
to better authenticate email traffic to prevent hackers from
impersonating employees and gaining access to customer data. Rather
than forcing the ISPs to make an educated guess about which emails to
let through, banks have started providing them with data that helps
them better verify the messages, according to Kelly Wanser, whose
company eCert Inc. acts as a clearing house for such data.
Sharing might be discouraged in other parts of banking, because of possible antitrust implications.
But the practice has been mandated in the world of cybersecurity
since 1998, when President Bill Clinton issued an order requiring the
public and private sectors to work together to protect critical
infrastructure such as the financial system.
In response to that order, financial firms created an industry group
called the Financial Services Information Sharing and Analysis Center
to encourage banks to work together. Still, it is only recently that
banks have begun to lift the veil.